K8s API Resources: API Groups, Resources and Verbs
1. Kubernetes API overview
API versioning
To drop fields or restructure how a resource is represented, Kubernetes supports multiple API versions, each served under a different API path, for example /api/v1 or /apis/extensions/v1beta1.
Versioning is done at the API level, not at the resource or field level:
- to ensure that the API presents a clear, consistent view of system resources and behaviour;
- to allow controlling access to end-of-life and/or experimental APIs.
The JSON and Protobuf serialization schemas both follow these guidelines when the schema changes; the description below applies to both formats.
API path structure
https://127.0.0.1:6443/api/v1/pods

Part                 Meaning
https://127.0.0.1:6443/   API server address
api/v1               core API group (path prefix "api", version "v1")
pods                 API object (resource)
https://127.0.0.1:6443/apis/extensions/v1beta1/deployments

Part                 Meaning
https://127.0.0.1:6443/   API server address
apis                 path prefix for named (non-core) API groups
extensions           API group name
v1beta1              API version
deployments          API object (resource)
2. API version list
apiGroups: an API group is one part of an apiVersion, i.e. apiVersion = apiGroup/version. The group/version pairs a cluster serves can be listed with kubectl:

$ kubectl api-versions
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
authorization.k8s.io/v1beta1
autoscaling/v1
autoscaling/v2beta1
autoscaling/v2beta2
batch/v1
batch/v1beta1
certificates.k8s.io/v1beta1
coordination.k8s.io/v1
coordination.k8s.io/v1beta1
discovery.k8s.io/v1beta1
events.k8s.io/v1beta1
extensions/v1beta1
networking.k8s.io/v1
networking.k8s.io/v1beta1
node.k8s.io/v1beta1
policy/v1beta1
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
scheduling.k8s.io/v1
scheduling.k8s.io/v1beta1
storage.k8s.io/v1
storage.k8s.io/v1beta1
v1

v1 is the core (legacy) group, which has no group name; in a rule's apiGroups it is normally written as the empty string "".
3. Resources
$ kubectl api-resources -o wide
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND                             VERBS
bindings                                                                      true         Binding                          [create]
componentstatuses                 cs                                          false        ComponentStatus                  [get list]
configmaps                        cm                                          true         ConfigMap                        [create delete deletecollection get list patch update watch]
endpoints                         ep                                          true         Endpoints                        [create delete deletecollection get list patch update watch]
events                            ev                                          true         Event                            [create delete deletecollection get list patch update watch]
limitranges                       limits                                      true         LimitRange                       [create delete deletecollection get list patch update watch]
namespaces                        ns                                          false        Namespace                        [create delete get list patch update watch]
nodes                             no                                          false        Node                             [create delete deletecollection get list patch update watch]
persistentvolumeclaims            pvc                                         true         PersistentVolumeClaim            [create delete deletecollection get list patch update watch]
persistentvolumes                 pv                                          false        PersistentVolume                 [create delete deletecollection get list patch update watch]
pods                              po                                          true         Pod                              [create delete deletecollection get list patch update watch]
podtemplates                                                                  true         PodTemplate                      [create delete deletecollection get list patch update watch]
replicationcontrollers            rc                                          true         ReplicationController            [create delete deletecollection get list patch update watch]
resourcequotas                    quota                                       true         ResourceQuota                    [create delete deletecollection get list patch update watch]
secrets                                                                       true         Secret                           [create delete deletecollection get list patch update watch]
serviceaccounts                   sa                                          true         ServiceAccount                   [create delete deletecollection get list patch update watch]
services                          svc                                         true         Service                          [create delete get list patch update watch]
mutatingwebhookconfigurations                  admissionregistration.k8s.io   false        MutatingWebhookConfiguration     [create delete deletecollection get list patch update watch]
validatingwebhookconfigurations                admissionregistration.k8s.io   false        ValidatingWebhookConfiguration   [create delete deletecollection get list patch update watch]
customresourcedefinitions         crd,crds     apiextensions.k8s.io           false        CustomResourceDefinition         [create delete deletecollection get list patch update watch]
apiservices                                    apiregistration.k8s.io         false        APIService                       [create delete deletecollection get list patch update watch]
controllerrevisions                            apps                           true         ControllerRevision               [create delete deletecollection get list patch update watch]
daemonsets                        ds           apps                           true         DaemonSet                        [create delete deletecollection get list patch update watch]
deployments                       deploy       apps                           true         Deployment                       [create delete deletecollection get list patch update watch]
replicasets                       rs           apps                           true         ReplicaSet                       [create delete deletecollection get list patch update watch]
statefulsets                      sts          apps                           true         StatefulSet                      [create delete deletecollection get list patch update watch]
tokenreviews                                   authentication.k8s.io          false        TokenReview                      [create]
localsubjectaccessreviews                      authorization.k8s.io           true         LocalSubjectAccessReview         [create]
selfsubjectaccessreviews                       authorization.k8s.io           false        SelfSubjectAccessReview          [create]
selfsubjectrulesreviews                        authorization.k8s.io           false        SelfSubjectRulesReview           [create]
subjectaccessreviews                           authorization.k8s.io           false        SubjectAccessReview              [create]
horizontalpodautoscalers          hpa          autoscaling                    true         HorizontalPodAutoscaler          [create delete deletecollection get list patch update watch]
cronjobs                          cj           batch                          true         CronJob                          [create delete deletecollection get list patch update watch]
jobs                                           batch                          true         Job                              [create delete deletecollection get list patch update watch]
certificatesigningrequests        csr          certificates.k8s.io            false        CertificateSigningRequest        [create delete deletecollection get list patch update watch]
leases                                         coordination.k8s.io            true         Lease                            [create delete deletecollection get list patch update watch]
endpointslices                                 discovery.k8s.io               true         EndpointSlice                    [create delete deletecollection get list patch update watch]
events                            ev           events.k8s.io                  true         Event                            [create delete deletecollection get list patch update watch]
ingresses                         ing          extensions                     true         Ingress                          [create delete deletecollection get list patch update watch]
ingresses                         ing          networking.k8s.io              true         Ingress                          [create delete deletecollection get list patch update watch]
networkpolicies                   netpol       networking.k8s.io              true         NetworkPolicy                    [create delete deletecollection get list patch update watch]
runtimeclasses                                 node.k8s.io                    false        RuntimeClass                     [create delete deletecollection get list patch update watch]
poddisruptionbudgets              pdb          policy                         true         PodDisruptionBudget              [create delete deletecollection get list patch update watch]
podsecuritypolicies               psp          policy                         false        PodSecurityPolicy                [create delete deletecollection get list patch update watch]
clusterrolebindings                            rbac.authorization.k8s.io      false        ClusterRoleBinding               [create delete deletecollection get list patch update watch]
clusterroles                                   rbac.authorization.k8s.io      false        ClusterRole                      [create delete deletecollection get list patch update watch]
rolebindings                                   rbac.authorization.k8s.io      true         RoleBinding                      [create delete deletecollection get list patch update watch]
roles                                          rbac.authorization.k8s.io      true         Role                             [create delete deletecollection get list patch update watch]
priorityclasses                   pc           scheduling.k8s.io              false        PriorityClass                    [create delete deletecollection get list patch update watch]
csidrivers                                     storage.k8s.io                 false        CSIDriver                        [create delete deletecollection get list patch update watch]
csinodes                                       storage.k8s.io                 false        CSINode                          [create delete deletecollection get list patch update watch]
storageclasses                    sc           storage.k8s.io                 false        StorageClass                     [create delete deletecollection get list patch update watch]
volumeattachments                              storage.k8s.io                 false        VolumeAttachment                 [create delete deletecollection get list patch update watch]
4. Role examples
The examples below show only the rules section of a Role/ClusterRole. Allow reading Pods in the core API group:
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Allow reading and writing the "deployments" resource in both the "extensions" and "apps" API groups:
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Allow reading "pods" and reading/writing "jobs":
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Allow reading the ConfigMap named "my-config" (the rule must be granted with a RoleBinding so that it is limited to that single ConfigMap in a single namespace):
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-config"]
  verbs: ["get"]
Allow reading the "nodes" resource in the core group (Node is cluster-scoped, so this rule only takes effect in a ClusterRole granted through a ClusterRoleBinding):
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
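Tying the URL structure from section 1 to the rules in section 4, here is an added Python example (not code from the original post): it parses an API request path into the apiGroup/resource/verb triple that rules are matched against and evaluates it against rules written in the same shape as the YAML above. It is a deliberately simplified model of the API server's RBAC authorizer, not the real implementation, and the function names are the example's own.

```python
import re
from typing import Optional
# Added example, not code from the original post: a simplified model of how the
# API server maps a request to the (apiGroup, resource, verb) triple that Role
# rules match. Subresources (pods/log) and non-resource URLs are out of scope.
PATH_RE = re.compile(
    r"^/(?:api/(?P<core>v[^/]+)|apis/(?P<group>[^/]+)/(?P<ver>[^/]+))"
    r"(?:/namespaces/(?P<ns>[^/]+))?/(?P<resource>[^/]+)(?:/(?P<name>[^/]+))?/?$"
)

def request_verb(method: str, name: Optional[str], watch: bool) -> str:
    """HTTP method + path shape -> RBAC verb (the verbs kubectl api-resources lists)."""
    if method == "GET":
        return "watch" if watch else ("get" if name else "list")
    return {"POST": "create", "PUT": "update", "PATCH": "patch",
            "DELETE": "delete" if name else "deletecollection"}[method]

def parse_request(method: str, url: str) -> dict:
    path, _, query = url.partition("?")
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a resource URL: {url}")
    return {
        "apiGroup": "" if m.group("core") else m.group("group"),  # core group is ""
        "resource": m.group("resource"),
        "name": m.group("name"),
        "namespace": m.group("ns"),
        "verb": request_verb(method, m.group("name"), "watch=true" in query),
    }

def rule_allows(rule: dict, req: dict) -> bool:
    """One `rules:` entry, with the same keys as the YAML examples above."""
    match = lambda allowed, value: "*" in allowed or value in allowed
    if not (match(rule["apiGroups"], req["apiGroup"]) and
            match(rule["resources"], req["resource"]) and
            match(rule["verbs"], req["verb"])):
        return False
    # resourceNames only matches a request that names one object, so the
    # my-config rule grants `get` on that ConfigMap but never `list` or `create`.
    names = rule.get("resourceNames")
    return not names or req["name"] in names

def authorize(rules: list, method: str, url: str, role_ns: Optional[str] = None) -> bool:
    """role_ns=None models a ClusterRole via ClusterRoleBinding; a namespace string
    models a RoleBinding, which only covers namespaced requests in that namespace."""
    req = parse_request(method, url)
    if role_ns is not None and req["namespace"] != role_ns:
        return False  # e.g. nodes (cluster-scoped) can never be granted this way
    return any(rule_allows(r, req) for r in rules)
```

Feeding it the four rules from this section shows, for instance, that the my-config rule permits GET /api/v1/namespaces/default/configmaps/my-config but not listing the configmaps collection, and that the nodes rule only works when evaluated as a ClusterRole.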